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ABSTRACT 

A concept of operations for air traffic management consists of a set of flight rules and procedures aimed to keep 
aircraft safely separated. This paper reports on the formal verification of separation properties of the NASA’s Small Aircraft 
Transportation System, Higher Volume Operations (SATS HVO) concept for non-towered, non-radar airports. Based on 
a geometric description of the SATS HVO air space, we derive analytical formulas to compute spacing requirements on 
nominal approaches. Then, we model the operational concept by a hybrid non-deterministic asynchronous state transition 
system. Using an explicit state exploration technique, we show that the spacing requirements are always satisfied on 
nominal approaches. All the mathematical development presented in this paper has been formally verified in the Prototype 
Verification System (PVS). 

Keywords. Formal verification, hybrid systems, air traffic management, theorem proving 

INTRODUCTION 

The safety objective of air traffic management is to provide aircraft separation. This objective is achieved trough 
air/ground equipment and a set of flight rules and procedures, usually called concept of operations. Emerging and more 
reliable surveillance and communication technologies have enabled new concepts where pilots and air traffic controllers 
share the responsibility for traffic separation. One of such concepts is NASA’s Small Aircraft Transportation System (SATS), 
Higher Volume Operation (SATS HVO ) [Ref. lj. 

The SATS program [Ref. 6] aims to increase access to small airports in the US during instrument approach operations. 
Currently, under poor weather conditions, small airports are restricted to one-in/one-out operations. The SATS HVO 
concept enables up to four simultaneous arrival approaches and multiple departures. A key aspect of the concept is that, 
under nominal operations, aircraft are self-separated, i.e., pilots are responsible for separation without assistance of an air 
traffic controller. To this end, the SATS HVO concept designs the airspace surrounding the airport as a Self-Controlled Area 
(SCA). A centralized, automated system, called the Airport Management Module (AMM), serves as an arbiter to aircraft 
entering the SCA. In this concept, aircraft constantly broadcast their locations and, therefore, they have an updated view of 
the SCA. 

The SATS HVO operational concept is a collection of rules and procedures to be followed by aircraft operating or 
transitioning in/out the SCA. For instance the concept of operations states when and how an aircraft is allowed to enter (or 
leave) the SCA, when an aircraft is allowed to initiate the approach, and how to perform a missed approach. In order to 
alleviate pilot workload and increase situation awareness, on board navigation tools provide advisories that assist pilots in 
following these procedures. 

Because the operational concept is a safety critical element of the SATS program, the task of showing that it satisfies 
safety requirements is acomplished using formal mathematical analysis. A discrete mathematical model of the SATS HVO 
operational concept is described in [Ref. 5], That model was mechanically checked for safety and liveness properties. As 
result of this research, several modification were incorporated to the concept [Ref. 2], 
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Figure 1 : Top and side view of SCA 


The discrete model in [Ref. 2,5] is not precise enough to enable verification of spacing properties. In this paper, we 
described a hybrid model that extends the discrete model to take into account the geometry of the SCA and the aircraft 
speed performances. Using this new model, we formally verified that the SATS HVO operational concept effectively 
achieves self-separation, i.e., aircraft performing nominal approaches are safely separated according to minimum spacing 
criteria. 

HIGHER VOLUME OPERATIONS 

In the SATS HVO concept, pilots operating within the Self-Controlled Area (SCA) are required to fly by latitude/longitude 
points in the space, called fixes. Similar to a GPS-T approach [Ref. 3], fixes are arranged as a T (see Figure l). 1 The fixes at 
the extremes of the T are called initial approach fixes (IAF’s) and they are the entry points to the SCA. The IAF’s also serve 
as missed approach holding fixes (MAHF’s), i.e., fixes where aircraft will proceed in case they have to perform a missed 
approach. The holding areas are located at 2000 feet and 3000 feet at the IAF’s. 

There are two types of entry procedures: vertical entry and lateral entry. In a vertical entry, an aircraft holds at 3000 
feet until it is enabled to descend to 2000 feet. In a lateral entry an aircraft flies directly to its IAF at 2000 feet. When the 
aircraft is enabled to initiate the approach, it flies to the intermediate fix (IF), from there to the final approach fix (FAF), and 
finally to the runway threshold. In case of a missed approach, the aircraft flies to its assigned missed approach holding fix 
at the lowest available altitude (2000 or 3000 feet). Then, it re-initiates the approach and either follows a normal landing 
procedure or leaves the SCA. The linear segments between the IAFs and the IF are called base segments and the segment 
between the IF and the runway threshold is called final segment. Henceforth, we say that an aircraft is on final approach if 
it is in the base of final segments. 

The Airport Management Module (AMM) is an automated centralized system that resides at the airport grounds. It 
receives state information from aircraft in the vicinity of the airport and communicates with aircraft via data link. The AMM 
provides entry clearances (vertical or lateral) and assigns missed approach holding fixes. When an entry is granted by the 
AMM, the aircraft receives a follow notification and a missed approach holding fix assignment. The follow notification is 
either none, if it is the first aircraft in the landing sequence, or the identification of a lead aircraft. Missed approach holding 
fixes are assigned by the AMM on an alternating basis. This technique ensures that consecutive aircraft on missed approach 
are not flying to the same MAHF. 

1 As it is usually depicted, right and left are relative to the pilot facing the runway, i.e., opposite from the reader’s point of view. 
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Figure 2: Discrete view of SCA 


For nominal arrival operations, self-separation is achieved by requiring an aircraft to hold at its IAF until it meets a 
spacing safety threshold with respect to its lead aircraft. The threshold shall guarantee a minimum separation during the 
approach and during a missed approach, in case of this eventuality. 

The concept of operations also describes nominal departure operations. Flowever, for simplicity, the analysis presented 
in this paper only considers arrival operations. This simplification does not affect the result of the formal verification as 
arriving aircraft are geographically separated from departing aircraft and an aircraft cannot depart if there is an aircraft on 
final approach. The fact that departing aircraft are also separated can be verified using the techniques presented in this 
paper. 

DISCRETE MODEL AND ITS LIMITATIONS 

The discrete model described in [Ref. 2,5] is a mathematical abstraction of the SATS HVO concept. A simple way to 
visualize that model is via an analogy with a board game where the board is a discretized SCA, the pieces that move across 
the board are the aircraft, and the rules of the game are given by the concept of operations. This analogy is illustrated in 
Figure 2. The places where an aircraft can be during an arrival operation are called zones. There are 12 zones: 

• holding3 (left, right): Holding patterns at 3000 feet. 

• holding2 (left, right): Holding patterns at 2000 feet. 

• lez (left, right): Lateral entry zones. 2 

• base (left, right): Base segments. 

• maz (left, right): Missed approach zones. 

• final and runway: Final segment and runway. 

An aircraft is always in one and only one zone, but several aircraft may be in the same zone. Aircraft leave the zones in the 
same order as they arrive. The arrows in Figure 2 are the valid moves and they represent 15 flight rules and procedures: 

• Vertical entry (left, right): Initial move to holding3. 

• Lateral entry (left, right): Initial move to lez. 

• Descend (left, right): Move from holding3 to holding2. 

2 Lateral entry zones start outside the SCA. 
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(a) Aircraft A and B are separated 



(b) Aircraft A and B are not separated 


Figure 3: Indistinguishable discrete states 


• Approach initiation (left, right): Move from holding2 to base. 

• Final approach (left, right): Move from base to final. 

• Landing: Move from final to runway. 

• Missed approach initiation (left, right): Move from final to maz. 

• Transition to lowest available altitude (left, right). Move from maz to either holding3 or holding2. 

In this model, each aircraft is represented by its initial approach fix (left or right), landing sequence (natural number), 
and missed approach holding fix assignment (left or right). Aircraft identifications are implicit as aircraft can be distin- 
guished from each other by their landing sequence. The AMM is modeled by the next available landing sequence (natural 
number) and the next alternating missed approach holding fix (left or right). 

The discrete model is conservative in the sense that it abstracts away the SCA geometry and physical performance 
parameters of the aircraft. Hence, it includes scenarios that may no physically occur in the real world. We argue that the 
model is complete, i.e., it includes all nominal operations. Of course, this cannot be proved formally. However, the model 
has been extensively reviewed by the developers of the SATS HVO concept as it was used as a designing tool of the final 
concept [Ref. 2], 

From a mathematical point of view, the discrete model is a state transition system where the states are snapshots of 
the zones at discrete times and the transitions describe how the states evolve when the flight procedures are applied. A 
priori, there are no bounds on the number of aircraft in each zone; therefore, the transition system is potentially infinite. 
However, it turns out that the transition system is finite. Indeed, it was exhaustively explored [Ref. 5] using the verification 
system PVS [Ref. 7], Among several other properties, it was formally verified that the model of the SATS HVO concept 
allows up to four simultaneous arrival approaches, which is better than the current one-in/one-out mode of operation, and 
that eventually all aircraft land or depart, i.e., there are no deadlocks. 

The discrete model does not support verification of spacing properties. In particular, the two states depicted in Figure 3 
are indistinguishable by the discrete model, although they do not satisfy the same separation requirements. This behavior is 
due to the way the approach initiation procedure was written in the discrete model. Indeed, the concept of operations states 
that an aircraft may initiate the approach if (a) it is the first aircraft in the landing sequence or (b) it meets a safety threshold 
with respect to the lead aircraft, which is already on approach [Ref. 1], There are several ways a pilot can check whether the 
safety threshold is satisfied or not. In the most conservative case, the pilot has to delay the approach initiation until the lead 
aircraft is within 6 nautical miles from the runway. The value 6 is for a nominal SCA where the base segments are 5 nautical 
miles and the final segment is 10 nautical miles. In the general case, this value is configurable according to the geometry of 
the SCA. Since the geometry of the aircraft is not considered in the discrete model, the approach initiation procedure has to 
be modified. The condition (a) rests the same. However, the discrete model uses a weaker condition (b) where an aircraft 
can initiate the approach as soon as the lead aircraft is already on the final approach (base or final segments). As the safety 
threshold is not checked, spacing properties cannot be verified using the discrete model. 

In order to verify spacing properties, we need a more accurate modeling of the approach initiation procedure. To this 
end, we extend the discrete model of the SATS HVO concept with continuous variables that encode the geometry of the 
SCA and the aircraft speed performances. Before that, we formally specify the spacing requirements. 
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H — base( right) — h 



final 


Figure 4: Linear distance from IAF 


SPACING REQUIREMENTS 

The term spacing refers to linear separation of an aircraft with respect to a lead aircraft. If both aircraft are not flying 
the same approach, spacing is usually computed relative the merging point of their linear trajectories. For instance, in a 
symmetric SCA, if the trail and lead aircraft are on opposite initial approach fixes their spacing is 0, although their Euclidean 
distance is twice the length of the of the base segments. Note that, independently of the initial Euclidean distance, if both 
aircraft start the approach at roughly the same time and speed, they will have a conflict at the merging point. 

Assume that the geometry of the SCA is described by base(left), base(right), final, maz(left), and maz{riglit), which 
are the lengths of the left and right base segments, final segment, and left and right missed approach zones, respectively. 
We define Da (t) as the linear distance at time t of an aircraft A from its initial approach fix. For instance, in Figure 4, 

D A {t) = base(right) A final + 2. (1) 


In a symmetric SCA, i.e., base(left) = base(right ) and maz(left ) = maz(right), the spacing at time t between an 
aircraft A and its lead aircraft B is simply defined as Ds{t) — D A (t). However, in the general case, we must consider the 
difference in length of the base segments. Hence, if B is before A in the landing sequence, the spacing between A and B 
is defined as 


S A —> b (t) = D B (t) — Da(P) A base(iaf A ) — base(iaf B ). ( 2 ) 

Now, we specify the spacing requirements to be formally verified. 

Proposition 1. Under nominal operations, aircraft A and B on final approach at time t, such that B is the lead aircraft of 
A, satisfy the following spacing requirement: 

St < Sa^b (t) • (3) 

Proposition 2. Under nominal operations, A and B on final approach, on missed approach at the same fix at time t, such 
that B is before A in the landing sequence, satisfy the following spacing requirement: 

Smaz < S A —*B(t) . ( 4 ) 

The constants St and Smaz are the theoretical spacing that the concept guarantees on final approach and missed 
approach, respectively. These constants are determined by the geometry of the SCA, the minimum and maximum speed of 
the aircraft, i.e., t> m in and Umax, and the initial spacing between the aircraft, i.e.. So, as follows: 

St = So ( Umax A final So)A„, (5) 

Smaz — min )L rn i n -(- final L maz & v ,2Sq ( U max -{- final A L maz So) , (6) 
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where 


A„ = 


min(base(left), base(right)), 

(7) 

max( base(left), base(right)), 

(8) 

ma x(maz(left) , base(right)), 

(9) 

^max ^min 

(10) 


HYBRID MODEL 

The hybrid model of the SATS HVO concept extends the discrete state of the original model with the following 
continuous variables: 


• A current time t that evolves in a continuous way. 

• For each aircraft A on final approach or missed approach, the linear distance from its IAF, i.e., D A (i)- We assume 
that the speed of an aircraft may vary with time in the interval [itmin, Umax]. Therefore, the value of DA{t) is 
constrained by 

(fl fo)ttmin A Da(J'i') B A (to) A (t\ fo)ttmax> (1 1) 

if to < ti (to and fi are measured in the same approach operation). 

These continuous variables allow us to state the approach initiation rule in a more precise way: 

• Approach initiation for vertical and lateral entry (left and right): An aircraft A may initiate the approach when (a) 
it is the first aircraft in the landing sequence or (b) its lead aircraft B is already on the final approach (base or final 
segments) and 


So < S A ^ B (t). 

Other transitions have to be modified as well to handle the new variables: 


( 12 ) 


Merging: An aircraft A in the base segment turns to the final segment when 

D A (t) = base(iaf A ). 


(13) 


Missed approach initiation: An aircraft A in the final segment may go to the missed approach zone when it is the 
first aircraft in the landing sequence and 


D A (f) = base(iaf A ) + final. 


(14) 


Landing: An aircraft A in the final segment may land if it is the first aircraft in the landing sequence, there is no 
other aircraft in the runway, and 


D A (f) = base(iaf A ) + final. 


(15) 


• Determination of lowest available altitude (left and right): An aircraft A on missed approach may go to the holding 
fix at the lowest available altitude when 

D A (t) — base(iaf A )+final+maz(mahf A ). (16) 

In the next section, we show how Propositions 1 and 2 can be mechanically verified on this hybrid transition system. 
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MECHANICAL VERIFICATION 

The discrete model of the SATS HVO concept was written in PVS and verified using a state exploration PVS tool 
called Besc [Ref. 5]. Roughly speaking, Besc is a basic explicit model checker, written and formally verified in PVS. 3 Early 
attempts to analyze the hybrid transition system described in this paper, using a hybrid model checker, e.g., HyTech [Ref. 4], 
were unsuccessful due to the complexity of the SATS HVO model. We tried a different approach: we encoded the hybrid 
transition system as a discrete one and explored it using Besc. 

We first note that the discrete system is a valid abstraction of the SATS HVO concept. From a high level, all the 
reachable states in the hybrid system are reachable in the discrete system (modulo the common discrete variables). Of 
course, the converse is not true: not all the reachable states of the discrete system are reachable in the hybrid system; in 
particular, those states violating the spacing requirements should not be reachable in the hybrid system. Therefore, if we 
take all the reachable states in the discrete system and eliminate those that do not satisfy the continuous behavior expressed 
by Formulas (12)— (16), we should still have a valid abstraction of the SATS HVO concept. 

Instead of eliminating states, we simply add the continuous behavior as constraints to the reachable states in the discrete 
system at the same time as the transitions take place. For instance, after a Merging rule, according to Formula (13), it should 
hold that 


base(iaf A ) < DA(t) < base(iaf A ) + final. (17) 

The semantics of a constrained state is that it is a valid reachable state if it is reachable in the discrete system and, moreover, 
all its constraints hold. The verification objective is to show that for each one of these hybrid reachable states. Propositions 1 
and 2 hold. 

Hybrid System as a Constrained Discrete System 

In order to write the hybrid system as a discrete transition system, the continuous behaviors is encoded using symbolic 
constraints. A PVS data type, called Constraint, is inductively defined according to the following grammar: 


A, B 
s 
T 
e,/ 

Constraint 


1 , 2 ,... 

left | right \ iaf A \ mahf A 

t | T a 

T | D a (T) | base(s) \ final \ maz(s) \ S 0 \ L min \ L max \ L maz \ S a ^b(T) \e + f 

e < f 


(18) 

(19) 

( 20 ) 
( 21 ) 
( 22 ) 


We use the variable Ta to denote the time when aircraft A initiates the approach. 


The global state of the SCA is extended with a new field constraints, which is a list of Constraints that hold 
at a particular state. The hybrid transition system described before is encoded as follows: 


• Approach initiation for vertical and lateral entry (left and right): Let A be the aircraft that initiates the approach. 
The following symbolic constraints are added to constraints: 


- The fact that A is in the base segment, i.e, 

Ta < t, (23) 

D A (t) < base(iaf A ). (24) 

- If B is the lead aircraft of A, the fact that the aircraft are spaced at time Ta, i.e., 

Tb < T a , (25) 

So < S A -,b{T a )- (26) 

- For all aircraft C on missed approach, the fact that C was ahead of A: 

base(iaf A ) + final < Dc(Ta). (27) 

3 Besc is available from http : / /research . nianet . org/~munoz/Besc. 
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• Merging : Let A be that aircraft that goes into the final segment. Constraint (24) is removed from constraints. 
Moreover, the fact that A is in the final segment is added to constraints: 

D A (t) < base(iaf A ) + final. (28) 

• Missed approach initiation: Let A be the aircraft that initiates the missed approach. Constraint (28) is removed from 
constraints. Moreover, the fact that A is on missed approach is added to constraints: 

D A (t) < base(iaf A ) + final + maz(mahf A ). (29) 

• Landing: Let A be the aircraft that is landing. All constraints related to A are removed from constraints except 
instances of Constraints (25) and(26) when B, the previous lead aircraft of A, is on missed approach. 

• Determination of lowest available altitude ( left and right): Let A be the aircraft that goes to the lowest available 
altitude. All constraints related to A are removed from constraints. 

State Exploration 

To verify Propositions 1 and 2, we have to prove the following invariant properties for every reachable state s. 

Invariant 1. For each pair of aircraft A and B in s such that A and B are on final approach at time t, and B is the lead 
of aircraft A, 

constraints(s) ==>• St < Sa->b(£)- (30) 

Invariant 2. For each pair of aircraft A and B in s such that they are on missed approach to the same fix at time t, and B 
is before A in the landing sequence, 

constraints(s) ==$■ Sm A z < S A ^B(t). (31) 

We remark that the constraints are just data without any logical meaning. Thus, the invariant properties cannot be 
checked on the fly during the state exploration process. The mechanical verification proceeds in three different stages. In 
the first stage, the transition system is fully explored in PVS using the explicit model checker Besc. In order to get a finite 
system, the constraints are implemented as a set rather than a list to avoid repetitions. Besc reports a total of 2768 reachable 
states and a diameter, maximum length of a path, of 27 states. 

In the second stage, we process the set of reachable states using an external tool called PVSio 4 and generate a PVS 
file where there is a lemma for each possible instance of Invariant 1 or Invariant 2. Without counting repetitions, 117 
spacing lemmas were generated. From those, 73 lemmas are instances of the first invariant and the remaining 44 lemmas 
are instances of the second one. 

In addition to the spacing lemmas, proof scripts, which automatically discharge these lemmas, are also generated. In 
the final stage of the mechanical verification task, the proof scripts are checked in batch mode via the utilities provided by 
ProofLite. 5 After a couple of minutes, ProofLite reports that all 117 lemmas are proved in PVS. 

The proof scripts that are automatically generated are based on three lemmas. One lemma, called T, takes care of 
instances of Invariant 1 . The other two lemmas, called Mazl and Maz2, handle particular cases of Invariant 2. The rest of 
this section sketches the proof of these lemmas. 

Three Lemmas 

The lemmas described here were mechanically checked in PVS. Afterward, they were integrated into a PVS strategy 
that mechanically discharges the automatically generated spacing lemmas. 

First, we present some auxiliary properties. The time when an aircraft A initiates the final approach, i.e., when it enters 
the base segment, is denoted T A . Hence, by definition, 

D a (T a ) = 0. (32) 

4 PVSio enhances the PVS ground evaluator with input/output operations. It is available from http : / /research . nianet . org/ 
"munoz/ PVSio. 

5 ProofLite is a PVS tool for non-interactive proof checking. It is available from http : //research . nianet . org/~munoz/ 
ProofLite. 
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Therefore, Constraint (26) is equivalent to 

So + base(iaf B ) — base(iaf A ) < Db{Ta )• (33) 

Furthermore, if A is on final approach at time t. Constraint (24) and Constraint (28) yield 

D A (t) < base(iaf A ) + final. (34) 


Lemma 1 (T). Let A and B be aircraft on final approach at time t such that B is the lead of aircraft A. It holds 


under the hypotheses 


So — (L max + final — So)A„ < Sa-.s(^), 


T a 

So + base[iaf B ) — base(iaf A ) 
Dg{t ) 


< t 

< D b (T a ), 

< base{iaf B ) + final. 


(35) 


(36) 

(37) 

(38) 


(Formula (36) is the Constraint (23), Formula (37) is the spacing constraint from Formula (33), and Formula (38) is the 
instantiation of Formula (34) on aircraft B, which is on final approach.) 


Proof Subtracting Formula (37) from Formula (38), we get 


Z)fl(t) — Db{Ta) < base(iaf A ) + final — So- 

Using Formula (1 1) on A and B , 


Formula 41 yields 


From Formulas (39) and (40), 


Flence, 


{t~T A )Vjnm < D B (t) — D B (Ta) , 
D A (t) — Da(Ta) < (t — Ta)v max- 


D A (t) < (t — Ta) Umax 


t-T A < 


base(iaf A ) + final — So 
Vmin 


Sa^b ( t ) = 


> 

> 

> 

> 


Dg(t) — D A {t) + base(iaf A ) — base(iaf B ) 

D b (T a ) + ( D B (t ) - D b (T a )) - D A {t) + base(iaf A ) - base(iaf B ) 
So + (D B {t) - D b {T a )) ~ D A (t), by Formula (37), 

So + (t- T a) Vmin — (t — T a ) Umax, by Formulas (40) and (42), 

So — ( base(iaf A ) + final — So ) tmax -222- , by Formula (43), 

^min 

So — ( Lmax + final — So) A„, by Formulas (8) and (10). 


(39) 

(40) 

(41) 

(42) 

(43) 


B 


Lemma 2 (Mazl). Let A and B be aircraft on missed approach at time t such that B is before A in the landing sequence. 
Furthermore, assume that when A initiated the approach, B was on missed approach. It holds 

Lmin final LmazA v ^ Sa — *b{I), (44) 


under the hypotheses 


Ta < t (45) 

Ds{t) < base(iaf B ) + final + maz(mahf B ), (46) 

base(iaf B ) + final < Db(Ta). (47) 


(Formula (45) is the Constraint (23), Formula (46) is the instantiation of Constraint (29) on aircraft B, and Formula (47) 
is the additional assumption about aircraft A and B.) 
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Proof. Subtracting Formula (47) from Formula (46), we get 

D B (t) — Db{Ta ) < maz(mahf B ). 

Formulas (40)-(42) are derived as in Lemma 1 . From Formulas (40) and (48), 

f _ Ta < maz{mahf B ) 

ttmin 

Flence, 


Sa — *B (f) 


= Ds(f) — D A {t) + base(iaf A ) — base(iaf B ) 

= D b (T a ) + ( D B {t ) - D b {T a )) - D A {t) + base(iaf A ) - base(iaf B ) 

> base(iaf A ) + final + — D b (Ta)) — DA(t), by Formula (47), 

> base(iaf A ) + final + (t — Lijomin — (t — TA)v m ax , by Formulas (40) and (42), 

> base(iaf A ) + final — maz(mahf B )- r ^ ><: tmln , by Formula (49), 

Vmin 

> L min + final - Lmaz A„, by Formulas (7), (9), and ( 10). 


(48) 


(49) 


□ 


Lemma 3 (Maz2). Let A and B be aircraft on missed approach at time t such that B is before A in the landing sequence. 
Furthermore, assume that when A initiated the approach, aircraft B and X where on final approach, B was the lead of 
aircraft X, and X was the lead aircraft of A. It holds 


2So — ( Lmax + final + L maz — So)X v < SA^ B {t), (50) 

under the hypotheses 

T a < t (51) 

T x < T a (52) 

D B (t) < base(iaf B ) + final + maz(mahf B ), (53) 

So + base(iaf B ) — base(iaf x ) < Db(Tx), (54) 

So + base(iaf x ) — base(iaf A ) < Dx(Ta). (55) 


( Formula (51) is the Constraint (23), Formula (52) is the instantiation of Constraint (25) on aircraft X and A, Formula (53) 
is the instantiation of Constraint (29) on aircraft B, and Formulas (54) and (55) are the additional assumptions about 
aircraft A, B, and X.) 


Proof. Subtracting Formula (54) from Formulas (53), we get 

Ds(t) — Db(Tx) < base(iaf x ) + final + maz(mahf B ) — So. 

Formula (42) is derived as in Lemma 1. From Formula (32), Dx{Tx ) = 0. Therefore, using Formula (11) on X, 

Dx{Ta ) < (TA-Tx)Vm ax- 
Front Formulas (51) and (52), Tx < t. Using Formula (1 1) on B, 

(t — Tx)v min < Ds(t) — Db(Tx)- 


From Formulas (56) and (58), 


(56) 

(57) 

(58) 


t — Tx 


< 


base(iaf x ) + final + maz(mahf B ) — So 


(59) 
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Hence, 


Sa — *B (t) = 


> 

> 

> 

> 

> 

> 


Ds{t) — D A (t) + base(iaf A ) — base(iaf B ) 

D b (T x ) + (-Ds(t) - D b (T x )) - D A (t) + base(iaf A ) - base(iaf B ) 

So + base(iaf A ) — base(iaf x ) + (D B (t) - D B (Tx )) — D A (t), 
by Formula (54), 

So + base(iaf A ) - base(iaf x ) + (t - Tx)v min - (t - 7 a)i> max, 
by Formulas (42) and (58), 

So -F base(iaf A ) base (iof x ) ( 1 T x ^{v max tt m in ) -F ( 7 U T x ^v m ax 
S 0 + base(iaf A ) - base(iaf x ) - (t - T x )(v max - u min ) + D X (T A ), 
by Formula (57), 

2S 0 — (t - T a ,)(u max - Vmin), by Formula (55), 

2So — ( base(iaf x ) + final + maz(mahf B ) — So) t ' ma ' x 1,111111 , 

^min 

by Formula (59), 

2So — (L max + final + L m az — So)A„, by Formulas (8), (9), and (10). 


□ 


Note that the conclusions of Lemmas 2 and 3 could be replaced by 

min (Lmin final Lmaz A„ , 2So ( Lmax ~t~ final L m az So)A„) ^ S A — 

Furthermore, 


when 


and 


when 


Smaz — 2So ( L max “F final -F L maz S'o j A (; 


| t'm i t] ^ Lmin 'F final 

ttmax Sq 


St < Smaz , 


Lmaz A„ ^ So- 


(60) 

(61) 

(62) 

(63) 

(64) 


CONCLUSION 

This papers proposes a hybrid model that extends the discrete model presented in [Ref. 2], In contrast to the original 
model, the proposed model enables the verification of safety spacing requirements of SATS HVO operations. To this 
end, aircraft performances, such as ground speed ranges, and information about the SCA geometry, such as length of 
the approach segments, were integrated into the original model. Thus, in the hybrid model, the concept of operations is 
described by the continuous dynamics of aircraft and the discrete events within the SCA. Using theorem proving and model 
checking techniques, we have exhaustively explored the hybrid model and mechanically verified spacing requirements over 
all nominal operations. 

The SATS HVO development, excluding the PVS tools Besc, PVSio and ProofLite, is about 2800 lines of PVS specifi- 
cation and lemmas and 6500 lines of proofs. From these, 1600 lines of lemmas and 5900 lines of proofs were automatically 
generated using the PVS tools. 

From a practical point of view, the analytical formulas presented in this paper, e.g.. Formulas (5) and (6), can be used 
to configure a nominal SCA and the parameters of the baseline procedure for self-separation. For instance, consider a 
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Figure 5: Nominal SCA 


symmetric nominal SCA where base (left) = base(right) = 5 nm, final = 10 nm, and maz(left) = maz (right) = 13 nm. 
If the initial separation So is 6 nm and u m i n = 90 kt, u max = 120 kt, then 


Lmin — 7 ■/! 


mm — J^max 
Lmaz 

120 - 90 
”90 

The value of St is computed using Formula (5): 


= 


5 nm, 

13 nm, and 
1 

3' 


S T = 6 - 


5 + 10-6 
3 


3 nm. 


(65) 

( 66 ) 

(67) 


( 68 ) 


This configuration of the SCA satisfies Formula (62). Therefore, the value of Smaz can computed using Formula (61): 


q io 5 + 10 + 13 — 6 

Smaz = 12 = 4.66 nm. (69) 

Hence, if the initial spacing of the trail aircraft with respect to the lead aircraft is 6 nm, the S ATS HVO concept of operations 
guarantees a minimum spacing of 3 nm on final approach and 4.66 nm on missed approach. 


The analysis used in this paper can be extended to study Euclidean separation of aircraft on final approach and missed 
approach. Figure 5 illustrates a nominal SCA where aircraft on missed approach turn toward their missed approach zone a 
degrees with respect to the runway, fly a straight trajectory of M nautical miles, and then turn to their MAHF. A geometric 
analysis reveals that 


M 


min(5r, Smaz) 
2 


(70) 


achieves maximum separation for an arbitrary a. In this case, the minimum Euclidean distance D a that the concept 
guarantees for an aircraft on final approach and an aircraft on missed approach is given by 

D a = My/2(1 — cosa). (71) 


In the example above, the optimal value of M, given by Formula (70), is 1.5 nm. The minimum Euclidean distance 
between an aircraft on final approach and an aircraft on missed approach, for different values of a, is computed using 
Formula (71): 

• Dqqo = 1.5 nm. 

• Dgo° = 2.12 nm. 

• D 120 ° = 2.59 nm. 
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Increasing the initial spacing So to 7 nm yields the following values: St = 4.33 nm, Smaz = 7 nm, M = 2.16 nm, 
Dqo° = 2.16 nm, Dgo° = 3.06 nm, and D 120 0 = 3.75 nm. 

The mechanical verification is necessary to make sure that no cases were forgotten. For instance, the fact that Lem- 
mas 1, 2, and 3 are sufficient to prove the spacing requirements for all nominal scenarios is shown by enumerating all the 
possibilities (in this case 1 17) and mechanically proving all of them using these 3 lemmas. Formal proofs are the ultimate 
guarantee that the mathematical development presented here is correct. 
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